One suggestion for using more NICs might be to configure the Neutron bridge on a separate NIC from the provisioning NIC. The NIC carrying the bridge should be configured to not use DHCP, and the bridge doesn't need to have an IP address if it is used only for hosting Tenant networks.

In fact, you can create two bridges, one with the default name of br-ex on NIC2, and one with the name br-tenant on NIC3. That would allow you to host Tenant networks on br-tenant, and External networks on br-ex.

Here is an example of the configuration for a Controller:

    network_config:
      - type: interface
        name: nic1
        use_dhcp: false
        dns_servers:
          get_param: DnsServers
        addresses:
          - ip_netmask:
              list_join:
                - /
                - - get_param: ControlPlaneIp
                  - get_param: ControlPlaneSubnetCidr
        routes:
          - ip_netmask: 169.254.169.254/32
            next_hop:
              get_param: EC2MetadataIp
      - type: ovs_bridge
        name: bridge_name
        use_dhcp: false  # No IP address needed on the bridge
        dns_servers:
          get_param: DnsServers
        members:
          - type: interface
            name: nic2
            use_dhcp: false
            # force the MAC address of the bridge to this interface
            primary: true
          - type: vlan
            vlan_id:
              get_param: ExternalNetworkVlanID
            addresses:
              - ip_netmask:
                  get_param: ExternalIpSubnet
            routes:
              - default: true
                next_hop:
                  get_param: ExternalInterfaceDefaultRoute
      - type: ovs_bridge
        name: br-tenant
        dns_servers:
          get_param: DnsServers
        use_dhcp: false
        members:
          - type: interface
            name: nic3
            use_dhcp: false
            primary: true
      - type: interface
        name: nic4
        use_dhcp: false  # This effectively disables NIC4

And here is the corresponding example for a Compute node:

    network_config:
      - type: interface
        name: nic1
        use_dhcp: false
        dns_servers:
          get_param: DnsServers
        addresses:
          - ip_netmask:
              list_join:
                - /
                - - get_param: ControlPlaneIp
                  - get_param: ControlPlaneSubnetCidr
        routes:
          - ip_netmask: 169.254.169.254/32
            next_hop:
              get_param: EC2MetadataIp
          - default: true
            next_hop:
              get_param: ControlPlaneDefaultRoute
      - type: interface
        name: nic2
        use_dhcp: false  # This effectively disables NIC2
      - type: ovs_bridge
        name: br-tenant
        dns_servers:
          get_param: DnsServers
        use_dhcp: false
        members:
          - type: interface
            name: nic3
            use_dhcp: false
            primary: true
      - type: interface
        name: nic4
        use_dhcp: false  # This effectively disables NIC4

Note that there is no br-ex on the compute node in this example, so you would pass the following in your network-environment.yaml to enable tenant networks on the br-tenant:

    parameter_defaults:
      NeutronNetworkVLANRanges: "tenant:100:999"
      NeutronBridgeMappings: "datacentre:br-ex,tenant:br-tenant"

Then you can create external provider networks with the following command:

    neutron net-create ext_net --provider:network_type vlan \
      --provider:physical_network datacentre --provider:segmentation_id \
      --router:external

When tenants create networks, the NeutronNetworkVLANRanges parameter ensures that tenant VLANs will be attached to the "tenant" network and "br-tenant" bridge.

You could do the same with additional bridges, and assign a different VLAN range to each bridge, like so:

    parameter_defaults:
      NeutronNetworkVLANRanges: "tenant:100:499,tenant2:500:999"
      NeutronBridgeMappings: "datacentre:br-ex,tenant:br-tenant,tenant2:br-tenant2"
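A pre-deployment consistency check for the two parameters above, written as an added example (not code from the original post or from TripleO): it confirms that every physical network with a tenant VLAN range maps to a bridge that exists on each role, and that no two ranges reuse a VLAN ID. The function names and the `ROLES` table are hypothetical; the bridge sets are read off the two NIC templates, assuming `bridge_name` resolves to br-ex, and only the `physnet:min:max` range form used on this page is parsed.

```python
from itertools import combinations

def parse_vlan_ranges(spec):
    """'tenant:100:499,tenant2:500:999' -> {'tenant': [(100, 499)], ...}"""
    ranges = {}
    for item in spec.split(","):
        physnet, lo, hi = item.strip().split(":")
        lo, hi = int(lo), int(hi)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"invalid VLAN range in {item!r}")
        ranges.setdefault(physnet, []).append((lo, hi))
    return ranges

def parse_bridge_mappings(spec):
    """'datacentre:br-ex,tenant:br-tenant' -> {'datacentre': 'br-ex', ...}"""
    return dict(item.strip().split(":", 1) for item in spec.split(","))

def audit(vlan_ranges, bridge_mappings, role_bridges):
    """Return findings; role_bridges maps role name -> set of ovs_bridge names."""
    ranges = parse_vlan_ranges(vlan_ranges)
    mappings = parse_bridge_mappings(bridge_mappings)
    findings = []
    for physnet in ranges:
        bridge = mappings.get(physnet)
        if bridge is None:
            findings.append(f"{physnet}: VLAN range but no bridge mapping")
            continue
        # Tenant networks can land on any role, so the bridge must exist on each.
        for role, bridges in sorted(role_bridges.items()):
            if bridge not in bridges:
                findings.append(f"{physnet}: {bridge} not defined on {role}")
    # Assumption: the tenant NICs share one switch fabric, so reusing a VLAN ID
    # on two physical networks would join segments meant to be separate.
    flat = [(p, r) for p, rs in ranges.items() for r in rs]
    for (p1, (lo1, hi1)), (p2, (lo2, hi2)) in combinations(flat, 2):
        if lo1 <= hi2 and lo2 <= hi1:
            findings.append(f"{p1} and {p2}: VLAN ranges overlap")
    return findings

# Constructed input: bridges defined by the Controller and Compute templates.
ROLES = {"Controller": {"br-ex", "br-tenant"}, "Compute": {"br-tenant"}}

if __name__ == "__main__":
    for line in audit("tenant:100:499,tenant2:500:999",
                      "datacentre:br-ex,tenant:br-tenant,tenant2:br-tenant2",
                      ROLES):
        print(line)
```

Run against the two-bridge templates, the single-range configuration passes cleanly, while the `tenant2` variant is reported until a br-tenant2 bridge is added to each role's NIC template.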